verification_failed -> signature_refused

agent/integration/job_verification_integration_test.go

@@ -102,7 +102,7 @@ func TestJobVerification(t *testing.T) {
 			job:                      jobWithInvalidSignature,
 			mockBootstrapExpectation: func(bt *bintest.Mock) { bt.Expect().NotCalled() },
 			expectedExitStatus:       "-1",
-			expectedSignalReason:     agent.SignalReasonVerificationFailed,
+			expectedSignalReason:     agent.SignalReasonSignatureRejected,
 			expectLogsContain:        []string{"⚠️ ERROR"},
 		},
 		{
@@ -127,7 +127,7 @@ func TestJobVerification(t *testing.T) {
 			job:                      jobWithNoSignature,
 			mockBootstrapExpectation: func(bt *bintest.Mock) { bt.Expect().NotCalled() },
 			expectedExitStatus:       "-1",
-			expectedSignalReason:     agent.SignalReasonVerificationFailed,
+			expectedSignalReason:     agent.SignalReasonSignatureRejected,
 			expectLogsContain:        []string{"⚠️ ERROR"},
 		},
 		{
@@ -144,7 +144,7 @@ func TestJobVerification(t *testing.T) {
 			job:                      jobWithMismatchedStepAndJob,
 			mockBootstrapExpectation: func(bt *bintest.Mock) { bt.Expect().NotCalled() },
 			expectedExitStatus:       "-1",
-			expectedSignalReason:     agent.SignalReasonVerificationFailed,
+			expectedSignalReason:     agent.SignalReasonSignatureRejected,
 			expectLogsContain: []string{
 				"⚠️ ERROR",
 				fmt.Sprintf(`the value of field "command" on the job (%q) does not match the value of the field on the step (%q)`,
@@ -238,7 +238,7 @@ func TestWhenTheJobHasASignature_ButTheJobRunnerCantVerify_ItRefusesTheJob(t *te
 		}
 	}
 
-	if got, want := finish.SignalReason, agent.SignalReasonVerificationFailed; got != want {
+	if got, want := finish.SignalReason, agent.SignalReasonSignatureRejected; got != want {
 		t.Errorf("job.SignalReason = %q, want %q", got, want)
 	}
 }

agent/run_job.go

@@ -19,11 +19,11 @@ import (
 )
 
 const (
-	SignalReasonAgentRefused       = "agent_refused"
-	SignalReasonAgentStop          = "agent_stop"
-	SignalReasonCancel             = "cancel"
-	SignalReasonVerificationFailed = "verification_failed"
-	SignalReasonProcessRunError    = "process_run_error"
+	SignalReasonAgentRefused      = "agent_refused"
+	SignalReasonAgentStop         = "agent_stop"
+	SignalReasonCancel            = "cancel"
+	SignalReasonSignatureRejected = "signature_rejected"
+	SignalReasonProcessRunError   = "process_run_error"
 )
 
 // Runs the job
@@ -95,7 +95,7 @@ func (r *JobRunner) Run(ctx context.Context) error {
 			VerificationBehaviourBlock,
 		)
 		exit.Status = -1
-		exit.SignalReason = SignalReasonVerificationFailed
+		exit.SignalReason = SignalReasonSignatureRejected
 		return nil
 	}
 
@@ -106,22 +106,22 @@ func (r *JobRunner) Run(ctx context.Context) error {
 			r.verificationFailureLogs(err, r.NoSignatureBehavior)
 			if r.NoSignatureBehavior == VerificationBehaviourBlock {
 				exit.Status = -1
-				exit.SignalReason = SignalReasonVerificationFailed
+				exit.SignalReason = SignalReasonSignatureRejected
 				return nil
 			}
 
 		case errors.As(err, &ise):
 			r.verificationFailureLogs(err, r.InvalidSignatureBehavior)
 			if r.InvalidSignatureBehavior == VerificationBehaviourBlock {
 				exit.Status = -1
-				exit.SignalReason = SignalReasonVerificationFailed
+				exit.SignalReason = SignalReasonSignatureRejected
 				return nil
 			}
 
 		case err != nil: // some other error
 			r.verificationFailureLogs(err, VerificationBehaviourBlock) // errors in verification are always fatal
 			exit.Status = -1
-			exit.SignalReason = SignalReasonVerificationFailed
+			exit.SignalReason = SignalReasonSignatureRejected
 			return nil
 
 		default: // no error, all good, keep going